States Introducing Privacy Legislation

Written by: Charles R. Langhorne IV, Esq.

2021 is off to a hot start with many states introducing private sector privacy legislation. In this article I will outline:

  • Virginia
  • Washington
  • Oklahoma
  • New York
  • Minnesota


Virginia seems to be on track to win the race for the quickest to pass a privacy law. The Consumer Data Protection Act (“CDPA”) has been passed by the state’s House and Senate legislatures and seems poised to be on the Governor’s desk by the time the legislative session ends on February 11, 2021. The CDPA is very similar to California’s Consumer Privacy Protection Act.

To Whom Does It Apply?

The CDPA applies to anyone who meets both requirements below.

Requirement 1

        1. Conducting business in Virginia; or
        2. anyone producing products or services targeted to residents of Virginia;

Requirement 2

        1. Controls or processes the personal data of at least 100,000 Virginia residents in a calendar year; or
        2. Controls or processes personal data of 25,000 Virginia residents and derives 50% of its gross revenue from the sale of personal data.

Consumer Rights

Virginia residents have the following rights:

  1. Right to access the personal data.
  2. Right to correct inaccuracies in personal data.
  3. Right to have their personal data deleted.
  4. Right to obtain a copy of their personal data.
  5. Right to opt-out of further processing of their personal data.

Privacy Policy Requirements

Anyone subject to CDPA must maintain a website privacy notice that contains the following information:

  1. The categories of personal data being processed;
  2. The purpose for processing personal data;
  3. How Virginia residents may exercise their rights under the CDPA;
  4. The categories of personal data shared with third parties; and
  5. The categories of third parties with whom personal data is shared.

Data Processors

The CDPA requires data controllers to enter into a written data processing agreement with its processors (read: subcontractors).

Violations & Enforcement

The CDPA does not provide a private right of action for data controllers that violate the statute. Instead, purported violations are investigated by the Virginia Attorney General. Notably, there is a 30-day cure period for a data controller to remedy any violations before the Attorney General will begin enforcement.

Violations found to be in breach of the CDPA will cost a data controller up to $7,500 per violation.

When is it Effective?

The CDPA becomes effective on January 1, 2023.


This marks the third time Washington’s legislature has attempted to pass a privacy law. SB 5062 would be the most comprehensive and robust privacy law in the United States. It combines many provisions from California’s CCPA and the European Union’s General Data Protection Regulation.

This bill is not yet out of committee. We will continue to monitor its progress.


Oklahoma’s proposed legislation is much more limited than CCPA and CDPA. It requires businesses to post privacy notices, but does not afford Oklahoma residents any rights.

This bill is not yet out of committee. We will continue to monitor its progress.

New York

To date, New York has proposed five different privacy related bills:

  1. Assembly Bill A400
  2. Assembly Bill A405
  3. Assembly Bill A674
  4. Assembly Bill A680
  5. Senate Bill S567

These bills cover all manner of requirements including: prohibiting businesses disclosure of certain types of personal data; rules governing personal data processed for targeted advertising purposes; website privacy notices; and rights that can be exercised by New York residents.

None of these bills are out of committee. We will continue to monitor their progress.


Minnesota’s HF 36 is very similar to CCPA in that it imposes obligations on businesses collecting and processing data and provides rights to Minnesota residents. What is most notable in this bill is that it provides a private right of action for Minnesota residents to sue for purported violations.

This bill is not yet out of committee. We will continue to monitor its progress.

Leave a comment